Hello Fortinet Community,
I have a network environment consisting of a FortiGate, Windows Active Directory 2019, Huawei iMaster NAC, and a newly purchased FortiAuthenticator. Both the FortiGate firewall and Huawei NAC are configured to authenticate users from Windows Active Directory using LDAP.
Here’s the current workflow:
The issue arises because users are required to enter their credentials twice: once for NAC authentication and again for the FortiGate firewall captive portal. This dual authentication is inconvenient and negatively impacts the user experience.
Unfortunately, I cannot utilize Fortinet Single Sign-On (FSSO) as a solution because many users are on BYOD devices that are not joined to the Active Directory domain.
I am looking for a solution to integrate these systems more efficiently with only one captive portal for both NAC and FortiGate firewall.
Any recommendations or guidance on how to achieve this would be greatly appreciated! Thank you in advance.
Hi Sadhi
Basically you keep authenticating with your NAC via RADIUS, and FGT listens for RADIUS accounting records, and so FGT will record the user info (user, group, IP), and you can use them in your firewall rules.
You can start here.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/85730/radius-single-sign-on-rsso-agent
But I guess this is not the unique existing solution for your requirement.
For example there should be a solution where you pull (or forward) login events from your (RADIUS) NAC to your FAC, and then use them on your FortiGate. Or you can configure your NAC to authenticate users from your FAC, and then use them on your FortiGate.
Hope it helps.
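The RSSO mechanism described above (the FortiGate listening for the NAC's RADIUS accounting records and keeping a user/group/IP table for policy matching), as an added illustration that is not code from any post in this thread nor Fortinet's implementation: a minimal Python model of the accounting listener. It assumes the Class attribute carries the group (the FortiGate default sso-attribute) and uses a constructed shared secret and constructed sample records.

```python
import hashlib
import socket
import struct
# RFC 2866 constants: Accounting-Request code, attribute types, Acct-Status-Type values
ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40
ACCT_START, ACCT_STOP = 1, 2

def acct_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866 Request Authenticator: MD5(header + 16 zero bytes + attributes + shared secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def parse_attributes(payload: bytes) -> dict:
    # Walk the Type/Length/Value list; Length includes its own 2 header bytes
    attrs, pos = {}, 0
    while pos < len(payload):
        alen = payload[pos + 1] if pos + 1 < len(payload) else 0
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[payload[pos]] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs

def parse_accounting(packet: bytes, secret: bytes) -> dict:
    # Accept only a well-formed Accounting-Request whose authenticator matches our shared secret
    if len(packet) < 20 or packet[0] != ACCT_REQUEST or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if packet[4:20] != acct_authenticator(packet[:4], packet[20:], secret):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    a = parse_attributes(packet[20:])
    return {"user": a[USER_NAME].decode(), "ip": socket.inet_ntoa(a[FRAMED_IP]),
            "group": a.get(CLASS, b"").decode(),  # Class is the FGT default sso-attribute (assumption)
            "status": struct.unpack("!I", a[ACCT_STATUS])[0]}

def apply_record(table: dict, packet: bytes, secret: bytes) -> dict:
    # Start adds/refreshes the IP -> (user, group) entry a policy could match; Stop removes it
    rec = parse_accounting(packet, secret)
    if rec["status"] == ACCT_START:
        table[rec["ip"]] = (rec["user"], rec["group"])
    elif rec["status"] == ACCT_STOP:
        table.pop(rec["ip"], None)
    return rec

def build_acct_request(user: str, ip: str, group: str, status: int, secret: bytes) -> bytes:
    # Constructed sample record standing in for what the NAC would send; not a real NAC capture
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (tlv(USER_NAME, user.encode()) + tlv(FRAMED_IP, socket.inet_aton(ip))
            + tlv(CLASS, group.encode()) + tlv(ACCT_STATUS, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(body))
    return header + acct_authenticator(header, body, secret) + body
```

A record signed with the wrong shared secret is rejected before it can populate the table, which is the same reason the NAC and FortiGate must share the RADIUS secret for RSSO to work.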
Since you have now brought FortiAuth into the picture, is it also playing the role for user auth?
Also in the FGT lan to internet policy have you called user group in that policy?
Created on 12-08-2024 07:15 AM Edited on 12-08-2024 07:17 AM
Dear @sjoshi ,
FortiAuthenticator is a fresh device with just interface and static route configurations.
So basically your NAC device is also performing the authentication, and then the FortiGate again, correct?
Yes.
NAC authenticates the user first. Then the firewall.
Then it is expected to get 2 triggers. I believe you have used a user group on the FortiGate internet policy. So whenever traffic matches that policy, the captive portal will get triggered.
You can either remove the user group from the FGT policy or remove the auth from the NAC and only use it to assign the respective VLAN.
Hi Sadhi
If you are using RADIUS for WiFi authentication then RSSO can be a solution.
Dear @AEK ,
Thank you for providing this information. The solution appears to be quite promising, and I appreciate your effort in sharing it.